Abstract

The Directive on Security of Network and Information Systems (NIS 1 Directive) provides that operators of essential services and digital service providers (regulated entities) shall take appropriate technical and organisational measures to manage the risks of cyber-attacks to their network and information systems. However, in the absence of appropriate supervision, they might externalise these risks to their users or to society, and might therefore be reluctant to comply with the requirements of the NIS 1 Directive. The EU Commission underlined the lack of effective supervision and enforcement by the competent authorities (supervisory authorities). Thus, the EU Commission recently proposed a new version of the NIS Directive (NIS 2 Directive), which takes a stricter approach to the legal framework for cybersecurity. For instance, the proposed NIS 2 Directive gives the competent authorities more investigative and enforcement powers in order to improve current supervision and enforcement. However, given the complexity of protecting network and information systems, collaboration channels between regulated entities and supervisory authorities might be established to ensure compliance, in addition to these stronger investigative and enforcement powers. Although the literature has discussed the extent to which the supervision and enforcement mechanism under the NIS 1 Directive can ensure effective compliance, how collaboration between competent authorities and regulated entities contributes to compliance with the NIS Directive has not been explored. In particular, the role of specific organisational measures that have a supervision/control function under this Directive and the proposed NIS 2 Directive has not been explored. This article argues that specific organisational measures, namely security impact assessments and independent security officers, should be expressly inserted into the revised version of the NIS 2 Directive.
This argument is based on the idea that those measures can establish collaboration channels between regulated entities and supervisory authorities and thereby improve supervision and enforcement by supervisory authorities. To support this claim, the article first addresses why regulatory intervention in the form of law is needed. In the same section, after analysing the scope of both Directives, it discusses the underlying reasons for imposing risk management obligations under the NIS Directive. Next, it explores the supervision and enforcement mechanisms available under both the NIS 1 Directive and the proposed NIS 2 Directive. After identifying the shortcomings of the current oversight and enforcement mechanisms, the article proposes how collaboration channels can be developed through the imposition of security impact assessments and the appointment of independent security officers. The relevant provisions of the General Data Protection Regulation (GDPR) on data protection impact assessments (Article 35 and Article 36) and data protection officers (Article 39) are analysed to highlight how the collaborative elements of these organisational measures can play a role in supervision and enforcement. This article limits itself to supervision and enforcement under the NIS 1 Directive and the proposed NIS 2 Directive; it does not analyse the GDPR's provisions on personal data security, so as to clarify supervision and enforcement in cybersecurity irrespective of whether data is classified as personal or non-personal.
